Published: 01 May 2008
| Security and privacy teams must work together to protect personal information in the digital age.
In the digital age, privacy has become a distant memory. There is no privacy on the Internet, corporate intranet, telecommunications networks or computing devices. The lack of privacy in our everyday lives is an undeniable truth. Don't get me wrong; I am all for privacy protection. But the technical realities of today make it all too easy for outside parties to have access to information that pertains to the individual.
If you have been involved in the information technology and security fields long enough and understand how we got to where we are today, then this should ring true. It takes overt actions to protect one'sprivacy. Email messages don't encrypt themselves. IP addresses are visible for a reason. Implicit trust is placed with infrastructure service providers. Data traffic is gathered for analysis. Search queries are maintained, logged and analyzed. Technical countermeasures exist that can help protect one's privacy, but they are not without complexity. More often than not, one is required to have a deeper understanding of technology than most users have.
Information security and privacy teams within an organization must work together in addressing the lack of online privacy. It is not enough for the security team to evaluate a system and determine a level of risk based on physical and logical controls. Privacy ramifications must also be taken into consideration. Fostering a close relationship between the security and privacy offices is a must when dealing with the ubiquitous nature of technology.
The rationale is twofold. First, additional controls may be needed to safeguard personally identifiable information (PII) of employees and customers when stored, processed or transmitted. A risk may not be identified in a system pertaining specifically to PII, but use or operations of the system may indirectly affect such information. Secondly, individuals have a level of trust with organizations that store, processes or transmit their PII. They should be provided with a concise disclosure of the privacy ramifications of having their PII managed by the organization and potentially by outsourced parties.
Of course, organizations have a balancing act when it comes to privacy. They want to ensure assets are properly used and that intellectual capital is not compromised. Additionally, illegal activities that may result in a litigious action must be avoided, and time on the job should be appropriately spent. From a national security perspective, government entities in most countries monitor the telecommunication infrastructure for interesting traffic; the definition of interesting traffic is dictated by the prevailing political and social environment.
All too often, those of us who live and breathe the technical and business sides of IT and security forget that we are but a minority, compared to the 1.2 billion Internet users worldwide.
Next time you are drafting an announcement regarding a new or updated security policy, awareness training materials or all-employee memo, include the organization's privacy officer in the effort. Additionally, consider the privacy ramifications for stored, processed or transmitted employee or customer PII. Together, the security and privacy functions need to consider the multifaceted background of end users. They do not understand the threats they face online and can only identify with information security and privacy related topics as covered by the mass media. It is our duty to assist our IT-enabled workforce and customer base with an appropriate level of understanding about the exposures that exist as they navigate online and use various computing devices.